This article explores the differences between vulnerability remediation and vulnerability mitigation, two core approaches to managing and reducing cyber risk. It explains how modern IT environments are constantly exposed to threats due to emerging vulnerabilities and highlights the importance of a structured vulnerability management strategy.
Any time threat actors try to compromise an application, server, or another IT system, they search for weaknesses that they can exploit. These weaknesses are low-hanging fruit that makes it easier to achieve malicious goals, whether that means installing malware, encrypting systems with ransomware, or stealing sensitive data from your environment.
Modern IT environments’ fast-paced, ever-changing nature means new vulnerabilities constantly emerge. Businesses and security teams face a race against time to find vulnerabilities and deal with them, through mitigation or remediation, before attackers exploit them. This article clarifies the difference between vulnerability mitigation and vulnerability remediation.
A vulnerability is a flaw in a system that weakens its security and could be targeted by a cybercriminal exploiting it.
Ever since curious-minded individuals began exploring computer systems, software, and networks, they have found vulnerabilities that allowed them to retrieve hidden information, escalate privileges, or access unexpected resources.
In 1967, a group of high school students found security vulnerabilities in an IBM network of computers and terminals running the APL programming language. This primitive form of ethical hacking helped to strengthen the security of IBM’s future computer systems.
Unfortunately, having a curious mind and hacking systems is not restricted to altruistic or ethical uses. Malicious actors today constantly probe IT environments for vulnerabilities using an array of tools and techniques. While there are many different types of vulnerabilities, here are some of the most common ones that hackers try to exploit:
The pervasive challenges in finding and eliminating vulnerabilities call for a dedicated vulnerability management strategy. The extent of these challenges was evidenced in a joint advisory published by CISA (US), NCSC (UK), and ACSC (Australia) highlighting the most commonly exploited vulnerabilities of 2020 and 2021. One of these vulnerabilities had had a patch available since 2017, while several others had patches released in 2018 and 2019: attackers were routinely exploiting flaws that organizations had had years to fix.
Vulnerability management is a systematic approach to continuously identify and eliminate vulnerabilities in your IT environment. The typical steps in vulnerability management are as follows:
Vulnerability management should be an ongoing strategy that reflects how new vulnerabilities regularly emerge in IT environments.
Discussions about vulnerabilities within cybersecurity are sometimes biased towards remediation as the only way of dealing with them. In most cases, the recommended advice is to patch your vulnerabilities and do it ASAP. But this neglects the fact that mitigation is another valid way to reduce the risk a vulnerability poses, even though it leaves the underlying flaw in place.
It’s helpful to view vulnerability management in a way that links the process back to the more overarching strategic goal of cyber risk management. Each vulnerability has a certain severity level and a certain likelihood of being exploited. Whatever scoring system you use to rank your vulnerabilities, each one represents some increase in your risk of exposure or loss, and severity alone is a poor proxy for that risk: a moderate-severity flaw on an internet-facing system with a public exploit can matter more than a critical-severity flaw on an isolated host.
The question then is how do you want to reduce that risk? For vulnerabilities, you have two broad options:
Remediation through security patches is presented as the ideal resolution method, but it’s sometimes not possible, or not necessary, at the time. For example, the software vendor might not have released a patch yet, or the vulnerable system might be an important operational system for which any downtime is intolerable. Or, there could be out-of-date systems that have a vulnerability but that aren’t directly reachable or exploitable by malicious actors. In that last case, verify the assumption rather than relying on it: confirm the firewall or segmentation rules that are supposed to block access, and scan the asset from outside its network segment.
Approaches to remediation involve updating affected software/firmware to the latest version, applying a security patch, changing a configuration, or potentially even removing a vulnerable asset entirely from your environment (e.g. replacing one software solution with another).
Mitigation solutions include isolating a set of vulnerable resources from the rest of the network with segmentation, temporarily disabling an application, or blocking a port that could provide access to a vulnerable resource.
Your choice usually isn’t a straightforward either/or decision between vulnerability remediation and mitigation. In scenarios where remediation isn’t feasible, you can mitigate temporarily and remediate later when the situation allows. Record the interim mitigation against the finding, with an owner and a review date, so that it is revisited once a patch or maintenance window becomes available instead of quietly becoming permanent.
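As an added example that is not part of the original article, the following Python sketch encodes the decision just described: rank each finding by severity plus likelihood signals (exposure and known exploitation), then choose between remediating immediately, mitigating now and remediating later, or scheduling the fix in the normal patch cycle, and list interim controls taken from the mitigation options above. The field names, tier thresholds, weights, and the known_exploited flag are assumptions for illustration, not a standard; a real implementation would take these values from your scanner output and an exploited-vulnerability catalog.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List


class Action(Enum):
    REMEDIATE_NOW = "remediate now: patch, upgrade, or reconfigure"
    MITIGATE_THEN_REMEDIATE = "mitigate now, remediate at the next maintenance window"
    SCHEDULE_REMEDIATION = "remediate in the normal patch cycle"
    MONITOR = "track and remediate opportunistically"


@dataclass
class Finding:
    """One vulnerability instance on one asset. Field names are assumed for illustration."""
    ref: str                    # your tracker's identifier for the finding
    cvss: float                 # CVSS base score, 0.0 to 10.0
    internet_exposed: bool      # asset is part of the external attack surface
    known_exploited: bool       # exploitation seen in the wild (e.g. a KEV-style catalog entry)
    patch_available: bool       # the vendor has shipped a fix
    downtime_tolerable: bool    # the asset can be restarted or upgraded now
    listening_port: int = 0     # 0 when no network service is involved


def risk_tier(f: Finding) -> str:
    """Ordinal risk tier from severity plus likelihood signals.
    The +2 / +3 weights are arbitrary illustration values, not CVSS environmental scoring."""
    score = f.cvss
    if f.internet_exposed:
        score += 2.0
    if f.known_exploited:
        score += 3.0
    if score >= 10.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def decide(f: Finding) -> Action:
    """Remediate when the fix exists and can be applied now; otherwise mitigate first."""
    tier = risk_tier(f)
    if tier in ("critical", "high"):
        if f.patch_available and f.downtime_tolerable:
            return Action.REMEDIATE_NOW
        return Action.MITIGATE_THEN_REMEDIATE
    if tier == "medium":
        return Action.SCHEDULE_REMEDIATION
    return Action.MONITOR


def suggest_mitigations(f: Finding) -> List[str]:
    """Interim controls from the article's list; they reduce exposure but leave the flaw in place."""
    steps = []
    if f.listening_port:
        steps.append(f"block TCP/{f.listening_port} at the perimeter and on the host firewall")
    if f.internet_exposed:
        steps.append("put the asset behind an allow-list or VPN so it is not directly reachable")
    steps.append("segment the asset from the rest of the network")
    if not f.patch_available:
        steps.append("disable the vulnerable application or feature until a fix ships")
    return steps


if __name__ == "__main__":
    # Constructed sample: a critical, actively exploited flaw on a system that cannot be restarted today.
    sample = Finding("example-1", cvss=9.8, internet_exposed=True, known_exploited=True,
                     patch_available=True, downtime_tolerable=False, listening_port=443)
    print(risk_tier(sample), "->", decide(sample).value)
    for step in suggest_mitigations(sample):
        print("  -", step)
```

Note the fourth case in the test below: a CVSS 5.0 flaw that is internet-facing and under active exploitation lands in the same tier as a 9.8, which is the point of scoring likelihood alongside severity.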
A study found that 84 percent of tested companies had high-risk vulnerabilities on their internet-facing external attack surface. These vulnerabilities are particularly concerning given that threat actors can trivially discover the assets that make up your external attack surface. It’s important therefore to identify and resolve vulnerabilities in your attack surface arguably before any other class of vulnerabilities.
Dedicated external attack surface management solutions prove useful for this task because they can quickly and automatically discover your complex and expanding external attack surface. These solutions then use the inventory of discovered assets and continuously scan for vulnerabilities.
Collecting important metrics during the cyclical vulnerability management process can improve both remediation and mitigation. Ideally, these metrics will be included in vulnerability management reports. Measurements to consider are vulnerability scan frequency, number of detected vulnerabilities in the current scan, number of open and closed vulnerabilities, mean time to remediate high-severity vulnerabilities, and how many findings are open past their agreed remediation deadline.
Track these metrics over time and look for trends that indicate potential areas of improvement, such as a growing backlog of open high-severity findings or a lengthening time to patch. Where the numbers stagnate, look for more ways to automate the detection or resolution of vulnerabilities.
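The following Python example is added here and is not part of the original article: it computes the metrics listed above from a small, constructed set of findings (open and closed counts, mean days to close high-severity findings, deadline breaches, and open findings about to breach). The per-severity deadlines in SLA_DAYS are assumed policy values; substitute your own, and feed the functions the records exported from your scanner or tracker instead of the sample list.

```python
from datetime import date
from statistics import mean
from typing import Dict, List, Optional

# Constructed sample data: one record per finding as exported from scan results.
# "closed" is None while the finding is still open.
FINDINGS: List[dict] = [
    {"id": "F-1", "severity": "high",   "detected": date(2024, 1, 3),  "closed": date(2024, 1, 10)},
    {"id": "F-2", "severity": "high",   "detected": date(2024, 1, 3),  "closed": date(2024, 1, 24)},
    {"id": "F-3", "severity": "high",   "detected": date(2024, 2, 1),  "closed": None},
    {"id": "F-4", "severity": "medium", "detected": date(2024, 1, 15), "closed": date(2024, 2, 5)},
    {"id": "F-5", "severity": "low",    "detected": date(2024, 2, 10), "closed": None},
    {"id": "F-6", "severity": "medium", "detected": date(2024, 2, 5),  "closed": None},
]

# Assumed remediation deadlines in days per severity; these are illustration values, not a standard.
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 14, "medium": 30, "low": 90}


def age_days(f: dict, as_of: date) -> int:
    """Days from detection to closure, or to the report date if the finding is still open."""
    end = f["closed"] or as_of
    return (end - f["detected"]).days


def open_closed_counts(findings: List[dict]) -> Dict[str, int]:
    opened = sum(1 for f in findings if f["closed"] is None)
    return {"open": opened, "closed": len(findings) - opened}


def mean_days_to_close(findings: List[dict], severity: str) -> Optional[float]:
    """Mean time to remediate for closed findings of one severity (None when nothing has closed)."""
    durations = [(f["closed"] - f["detected"]).days
                 for f in findings if f["severity"] == severity and f["closed"] is not None]
    return mean(durations) if durations else None


def sla_breaches(findings: List[dict], as_of: date) -> List[str]:
    """IDs of findings closed after their deadline, or still open past it, as of a date."""
    return [f["id"] for f in findings if age_days(f, as_of) > SLA_DAYS[f["severity"]]]


def about_to_breach(findings: List[dict], as_of: date, window: int = 7) -> List[str]:
    """Open findings still inside their deadline that will cross it within `window` days."""
    return [
        f["id"] for f in findings
        if f["closed"] is None
        and age_days(f, as_of) <= SLA_DAYS[f["severity"]] < age_days(f, as_of) + window
    ]


def report(findings: List[dict], as_of: date) -> Dict[str, object]:
    summary: Dict[str, object] = dict(open_closed_counts(findings))
    summary["mean_days_to_close_high"] = mean_days_to_close(findings, "high")
    summary["sla_breaches"] = sla_breaches(findings, as_of)
    summary["breaching_within_7_days"] = about_to_breach(findings, as_of)
    return summary


if __name__ == "__main__":
    for key, value in report(FINDINGS, date(2024, 3, 1)).items():
        print(f"{key}: {value}")
```

Run the same report after each scan and keep the outputs; the trend in mean_days_to_close_high and the length of sla_breaches over successive reports is what the article's metrics section is asking you to watch.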
Bugcrowd’s external attack surface management solution provides essential capabilities for identifying and prioritizing vulnerabilities in your external attack surface. You also get accelerated remediation by being able to connect your workflows and assign vulnerabilities to relevant teams with all the details they require to remediate each vulnerability.
Vulnerability remediation is necessary when organizations aim to completely eliminate identified vulnerabilities from their systems. This approach is typically required for high-risk vulnerabilities or when compliance requirements demand a thorough resolution.
Vulnerability mitigation is appropriate in situations where it may not be feasible or practical to completely resolve the vulnerabilities. This approach is often employed when immediate remediation is not possible or when the risks associated with the vulnerabilities can be sufficiently reduced through compensating controls or alternative security measures.
Vulnerability mitigation is typically considered a temporary or interim solution. While mitigation measures can reduce the immediate risk associated with vulnerabilities, they may not provide a permanent fix. Organizations should aim to prioritize and plan for complete vulnerability remediation whenever feasible and allocate resources accordingly.
Vulnerability mitigation should not replace vulnerability remediation as a general practice. While mitigation can reduce immediate risk, complete remediation should be pursued whenever possible, because the underlying flaw remains exploitable by anyone who gets past the mitigating control. Organizations should prioritize vulnerability remediation to achieve a more robust and secure environment in the long run.